So a little back story I have been going down the self taught path for software development for the last 4 years or so. Naively I thought I could manage a server looking after a family members business that was hosting their ERP software.

Yesterday I noticed some suspicious requests in the log file looking for files such as “/.env” among others, most of these returned 4xx status codes, a few formatted as get requests “?url=.env” were ignored and the server just returned the home page but I spent most of the day hardening the security.

Here is where we get to the problem, on the server someone has logged in as the root user several times, no log of the commands they ran and their IP has been reported on AbuseIPDB 8 times.

Any advice on next steps would be appreciated.